PfSense and Cisco 1841 site-to-site help?



  • I want to test a site-to-site connection between pfSense and a Cisco 1841 (c1841-adventerprisek9-mz.124-24.T3) using IPsec. I have a friend who wants to help me with his Cisco 1841, but something is wrong and the tunnel does not work.

    Configuration:

    pfSense (LAN: 192.168.130.0/24, WAN: 93.152.XX.XX)
    – internet --
    cisco 1841 (LAN: 10.100.100.0/24, WAN: 95.111.XX.XX)

    pfSense log (in reverse order):

    Aug 18 12:53:31 	racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
    Aug 18 12:53:01 	racoon: ERROR: Message: '4 '.
    Aug 18 12:53:01 	racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Aug 18 12:53:01 	racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[0]<=>95.111.xx.xx[0]
    Aug 18 12:52:47 	racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
    Aug 18 12:52:17 	racoon: ERROR: Message: '4 '.
    Aug 18 12:52:17 	racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Aug 18 12:52:17 	racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
    Aug 18 12:52:16 	racoon: [Cisco]: INFO: ISAKMP-SA established 93.152.xx.xx[500]-95.111.xx.x[500] spi:78f9f6b8ed3a4e56:d4a1d4dc9bf1516f
    Aug 18 12:52:16 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Aug 18 12:52:16 	racoon: INFO: received Vendor ID: DPD
    Aug 18 12:52:16 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Aug 18 12:52:16 	racoon: INFO: begin Identity Protection mode.
    Aug 18 12:52:16 	racoon: [Cisco]: INFO: initiate new phase 1 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
    Aug 18 12:52:16 	racoon: [Cisco]: INFO: IPsec-SA request for 95.111.xx.x queued due to no phase1 found.
    Aug 18 12:40:25 	racoon: [Self]: INFO: 93.152.xx.xx[500] used as isakmp port (fd=18)
    Aug 18 12:40:25 	racoon: [Self]: INFO: 192.168.12.254[500] used as isakmp port (fd=17)
    Aug 18 12:40:25 	racoon: [Self]: INFO: 192.168.130.254[500] used as isakmp port (fd=16)
    Aug 18 12:40:25 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Aug 18 12:40:25 	racoon: [Self]: INFO: 10.10.11.2[500] used as isakmp port (fd=14)
    Aug 18 12:40:25 	racoon: INFO: unsupported PF_KEY message REGISTER
    

    pfSense settings:
    Interface: WAN
    Local subnet: LAN subnet
    Remote subnet: 10.100.100.0/24
    Remote gateway: 95.111.xx.xx
    Phase1:
    Negotiation mode: main
    My identifier: My IP Address
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 28800
    Authentication method: Pre-shared key
    Pre-Shared Key: xxxx

    Phase 2
    Protocol: ESP
    Encryption algorithms: 3DES
    Hash algorithms: SHA1
    PFS key group: 2
    Lifetime: 3600

    Cisco 1841 configuration:

    cisco_router_rtr#sh cry ipsec sa
    
    interface: FastEthernet0/1
        Crypto map tag: vpn, local addr 95.111.xx.xx
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
       current_peer 93.152.xx.xx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 45, #recv errors 0
    
         local crypto endpt.: 95.111.xx.xx, remote crypto endpt.: 93.152.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
    


  • The problem was on the Cisco side: when the pfSense site-to-site connection is not the first connection in the config file, the tunnel does not work.
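For reference, here is an added example (not the original poster's or his friend's configuration) of a Cisco IOS crypto configuration that matches the pfSense phase 1 and phase 2 parameters listed in the question: 3DES/SHA1/DH group 2 with a 28800-second IKE lifetime, and ESP 3DES/SHA1 with PFS group 2 and a 3600-second lifetime. The peer address and pre-shared key are the placeholders from the post, the ACL name and transform-set name are assumptions, and the pfSense crypto map entry is given the lowest sequence number because IOS evaluates crypto map entries in sequence order and the follow-up post reports that the tunnel only came up once the pfSense entry was first.

```cisco
! Added example for the Cisco 1841 side; addresses, key and object names are placeholders
!
! Phase 1 (ISAKMP): must match pfSense Phase 1 (main mode, 3DES, SHA1, DH group 2, 28800 s, PSK)
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Pre-shared key for the pfSense WAN address; no-xauth is optional and only matters
! if Easy VPN (XAUTH) is also configured on this router
crypto isakmp key xxxx address 93.152.XX.XX no-xauth
!
! Phase 2 (IPsec): ESP with 3DES and SHA1-HMAC, tunnel mode (the default)
crypto ipsec transform-set PFSENSE esp-3des esp-sha-hmac
 mode tunnel
!
! Traffic selector: Cisco LAN <-> pfSense LAN, mirroring pfSense's local/remote subnets
ip access-list extended VPN-PFSENSE
 permit ip 10.100.100.0 0.0.0.255 192.168.130.0 0.0.0.255
!
! Crypto map "vpn" (the tag seen in the show output); the pfSense peer gets the lowest
! sequence number so it is evaluated before any other entry on the same interface
crypto map vpn 10 ipsec-isakmp
 description Site-to-site to pfSense
 set peer 93.152.XX.XX
 set transform-set PFSENSE
 set pfs group2
 set security-association lifetime seconds 3600
 match address VPN-PFSENSE
!
! Apply the crypto map on the WAN interface
interface FastEthernet0/1
 crypto map vpn
```

With `set pfs group2` in place, `show crypto ipsec sa` reports `PFS (Y/N): Y, DH group: group2` for the SA instead of the `PFS (Y/N): N, DH group: none` shown in the question, and `show crypto isakmp sa` shows the phase 1 SA in state `QM_IDLE` once it is established. If phase 2 still fails, `debug crypto isakmp` and `debug crypto ipsec` on the router show which proposal attribute the Cisco rejects when it sends NO-PROPOSAL-CHOSEN.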

